Mechanism for facilitating management of data in an on-demand services environment

ABSTRACT

In accordance with embodiments, there are provided mechanisms and methods for facilitating management of data in an on-demand services environment. In one embodiment and by way of example, a method for facilitating management of data in an on-demand services environment is provided. The method of embodiment includes detecting an attempt by a user to manipulate data via a collaboration application at a computing system, wherein the attempt includes attempted deletion of the data posted for viewing using the collaboration application. The method may further include determining whether the user is authorized to manipulate the data, and blocking the attempt if the user is not authorized to manipulate the data.

CLAIM OF PRIORITY

This application claims the benefit of U.S. Provisional Patent Application No. 61/507,268, entitled “Methods and Systems for Preventing the Deletion of Data in an On-Demand Services Environment” by Marcus Ericsson, filed Jul. 13, 2011 (Attorney Docket No. 8956P059Z), the entire contents of which are incorporated herein by reference and priority is claimed thereof.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

TECHNICAL FIELD

One or more implementations relate generally to data management and, more specifically, to a mechanism for facilitating management of data in an on-demand services environment.

BACKGROUND

Most organizations (e.g., companies, charitable organizations, government organizations, accounting or legal firms, hospitals, small businesses, etc.) have to deal with compliance or securities issues at some point or another. For example, several organizations are increasingly employing collaboration software applications (e.g., SharePoint® by Microsoft®, Yammer®, etc.) for providing in-organization real-time collaboration (e.g., conversations, user or group followings, receiving/transmitting project updates, customer status, group messaging, etc.) between users (e.g., organization's employees, contractors, interns, visitors, etc.). The use of such a collaboration application at an organization could often lead to employees posting sensitive posts or messages which may not be deleted for any number of reasons, such as legal reasons (e.g., evidentiary reasons), security purposes, back-up, etc. Conventional collaboration applications or software solutions do not provide the necessary security for the organization to properly control employee-placed posts, messages, etc.

The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.

In conventional database systems, users access their data resources in one logical database. A user of such a conventional system typically retrieves data from and stores data on the system using the user's own systems. A user system might remotely access one of a plurality of server systems that might in turn access the database system. Data retrieval from the system might include the issuance of a query from the user system to the database system. The database system might process the request for information received in the query and send to the user system information relevant to the request. The secure and efficient retrieval of accurate information and subsequent delivery of this information to the user system has been and continues to be a goal of administrators of database systems.

Unfortunately, conventional database approaches might be accessible to unauthorized persons if, for example, any user, as an unauthorized person, is able to delete relevant information that is to be preserved by the organization.

SUMMARY

In accordance with embodiments, there are provided mechanisms and methods for facilitating management of data in an on-demand services environment. In one embodiment and by way of example, a method for facilitating management of data in an on-demand services environment is provided. The method of embodiment includes detecting an attempt by a user to manipulate data via a collaboration application at a computing system, wherein the attempt includes attempted deletion of the data posted for viewing using the collaboration application. The method may further include determining whether the user is authorized to manipulate the data, and blocking the attempt if the user is not authorized to manipulate the data.

While the present invention is described with reference to an embodiment in which techniques for facilitating management of data in an on-demand services environment are implemented in a system having an application server providing a front end for an on-demand database service capable of supporting multiple tenants, the present invention is not limited to multi-tenant databases nor deployment on application servers. Embodiments may be practiced using other database architectures, e.g., ORACLE®, DB2® by IBM and the like, without departing from the scope of the embodiments claimed.

Any of the above embodiments may be used alone or together with one another in any combination. Inventions encompassed within this specification may also include embodiments that are only partially mentioned or alluded to or are not mentioned or alluded to at all in this brief summary or in the abstract. Although various embodiments of the invention may have been motivated by various deficiencies with the prior art, which may be discussed or alluded to in one or more places in the specification, the embodiments of the invention do not necessarily address any of these deficiencies. In other words, different embodiments of the invention may address different deficiencies that may be discussed in the specification. Some embodiments may only partially address some deficiencies or just one deficiency that may be discussed in the specification, and some embodiments may not address any of these deficiencies.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following drawings like reference numbers are used to refer to like elements. Although the following figures depict various examples, one or more implementations are not limited to the examples depicted in the figures.

FIG. 1 illustrates a computing system employing data management mechanism according to one embodiment;

FIG. 2A illustrates data management mechanism according to one embodiment;

FIG. 2B illustrates a network of computing devices using collaboration applications as facilitated by data management mechanism according to one embodiment;

FIG. 3 illustrates a method for facilitating management of data in an on-demand services environment according to one embodiment;

FIGS. 4A-4D illustrate screenshots representing various processes for facilitating management of collaboration application-based data according to one embodiment;

FIG. 5 illustrates a computer system according to one embodiment;

FIG. 6 illustrates a block diagram of an environment wherein an on-demand database service might be used according to one embodiment; and

FIG. 7 illustrates a block diagram of an embodiment of elements of environment of FIG. 6 and various possible interconnections between these elements according to one embodiment.

DETAILED DESCRIPTION

Methods and systems are provided for facilitating management of data in an on-demand service environment. A method of embodiments includes detecting an attempt by a user to manipulate data via a collaboration application at a computing system, wherein the attempt includes attempted deletion of the data posted for viewing using the collaboration application. The method may further include determining whether the user is authorized to manipulate the data, and blocking the attempt if the user is not authorized to manipulate the data.

As used herein, the term multi-tenant database system refers to those systems in which various elements of hardware and software of the database system may be shared by one or more customers. For example, a given application server may simultaneously process requests for a great number of customers, and a given database table may store rows for a potentially much greater number of customers. As used herein, the term query plan refers to a set of steps used to access information in a database system.

Next, mechanisms and methods for providing management of data in an on-demand service environment will be described with reference to example embodiments.

FIG. 1 illustrates a computing system employing data management mechanism according to one embodiment. In one embodiment, a computing device 100 serves as a host machine hosting data management mechanism 110 to facilitate management of data, such as data deletion, in an on-demand services environment. Computing device 100 may include mobile computing devices, such as cellular phones including smartphones (e.g., iPhone®, BlackBerry®, etc.), handheld computing devices, personal digital assistants (PDAs), etc., tablet computers (e.g., iPad®, Samsung® Galaxy Tab®, etc.), laptop computers (e.g., notebooks, netbooks, etc.), e-readers (e.g., Kindle®, Nook®, etc.), etc. Computing device 100 may further include set-top boxes (e.g., Internet-based cable television set-top boxes, etc.), and larger computing devices, such as desktop computers, server computers, cluster-based computers, etc.

Computing device 100 includes an operating system 106 serving as an interface between any hardware or physical resources of the computer device 100 and a user. Computing device 100 further includes one or more processors 102, memory devices 104, network devices, drivers, or the like, as well as input/output sources 108, such as touchscreens, touch panels, touch pads, virtual or regular keyboards, virtual or regular mice, etc. It is to be noted that terms like “node”, “computing node”, “client”, “server”, “machine”, “device”, “computing device”, “computer”, “computing system”, and the like, are used interchangeably and synonymously throughout this document.

FIG. 2A illustrates data management mechanism according to one embodiment. In one embodiment, data management mechanism 110 includes various components 202, 204, 206, 208, and 210 to offer a number of services to facilitate management of data (e.g., data deletion) in an on-demand services environment. For example and in one embodiment, any data posted or communicated through a collaboration application may be managed using the data management mechanism 110. A collaboration application (e.g., Chatter® by Salesforce®, SharePoint, Yammer, and the like) may be employed by an organization (e.g., a company, a charitable organization, a government organization, an accounting firm, a legal firm, a hospital, a small business, etc.) to provide internal, within-organization real-time collaboration (e.g., conversations, user or group followings, receiving/transmitting project updates, customer status, group messaging, etc.) between users, such as the organization's owners, employees, members, contractors, interns, visitors, participants, etc. Any data posted or communicated through a collaboration application may include any type or form of data, such as messages, emails, texts, posts, blogs, announcements, pictures, presentations, etc.

Using the collaboration application, any employee of the organization may be able to post on the board or communicate (e.g., transmit or receive) with any number of other employees any type of data (e.g., messages) that may be sensitive in nature and that the organization may prefer or require to be protected, such as prevented from being deleted. For example, a message posted by a user may have legal or financial consequences and thus, once posted, may not be allowed to be deleted. Since not all data is equal, certain individuals within the organization may have a higher privilege or authorization with regard to deletion of data versus the rest of the employees at the organization. For example, a legal counsel may have far greater authority over which emails or posts to delete versus a receptionist, as the legal counsel is regarded as someone having the necessary legal knowledge to determine whether, for example, an email may be sensitive in nature and ought to be deleted or not. Similarly, certain position holders (e.g., Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), vice presidents, department heads, system administrator, director or manager of information technology (“IT”), software developers, etc.) may have higher or different authority to delete certain data placed through, for example, a collaboration application than other employees or personnel or contractors of the organization. Although various position holders may have different levels of data control privileges, in one embodiment, the highest data control privileges may be placed with the IT director or system administrator, etc., given their technological expertise, etc.

In one embodiment, a privilege setting unit 202 may be used to grant a user a certain level of authority to delete certain data being posted or communicated through a collaboration application. For example, as aforementioned, a general counsel may have a high level 5 authority providing greater privilege and flexibility in deleting data, while a receptionist may have a level 1 authority having much lower (up to zero) privilege and flexibility to delete the collaboration application-based data. Other position holders, such as accountants, salespeople, managers, directors, vice presidents, CFO, CEO, CTO, etc., may be given various appropriate levels of data control privilege and flexibility.

Data management mechanism 110 further provides an attempt detector 204 to detect each attempt by a user at deleting a piece of data (e.g., text, message, email, blog, announcement, pictures, presentations, etc.) posted or communicated using, for example, a collaboration application (e.g., Chatter). Once the attempt is detected, an authentication module 206 authenticates the user's authority against the privilege granted by the privilege setting unit 202. For example, if an accountant of a company holds the privilege to delete an accounting spreadsheet posted by him to be viewed by other accountants, the accountant will be allowed to delete that spreadsheet. However, if the same accountant posts a note that can be regarded as sensitive (e.g., legally sensitive due to the nature of the note, such as revealing possible sexual harassment), the accountant may not be granted the authority to delete that note. In one embodiment, the accountant may not be able to delete any collaboration application-based data, regardless of the nature of the data.

If the user is not given privilege to delete any data or certain data (e.g., the accountant not having the privilege to delete the sensitive note), the user's attempt is blocked via a block module 208. For example, the user may receive a block note stating, for example, that the data cannot be deleted or that the data control privilege is disabled or not granted, or the like. This way, the deletion of the sensitive data is prevented. In one embodiment, if the user makes multiple attempts (e.g., more than three attempts), a notification or report of these multiple attempts may be sent to the system administrator so that an appropriate action may be taken (e.g., the system administrator may approach the user or the user's supervisor, etc.) based on the sensitivity of the data and/or the frequency of attempts to delete the data. If, however, the user is allowed to delete a particular piece of data, a confirmation module 210 may display a confirmation choice block for the user to confirm proceeding with completing the transaction to delete the piece of data or choose to cancel the transaction.

Further, in one embodiment, a number of overrides may be added, such as for individual users, specific profiles of individuals or groups, the entire organization, etc. For example, an Apex trigger may be added to the feed post delete or feed comment delete, as the Apex trigger may then check to see if any rules or privileges have been set in the Chatter delete settings as created by privilege setting unit 202. If there are rules or privileges, the Apex trigger abides by them. If, however, no rules or privileges have been set, the Apex trigger may allow the default collaboration application rules or settings to stay in place. The default collaboration application settings may depend on the rules set by the maker of the collaboration application or as set by the system administrator at the organization. For example, the default settings may include first settings where most or all users are allowed to delete their feed posts and comments, or second settings that include organization-based settings, such as the system administrator holding all the rights and privileges for deleting feed posts and comments. The Apex trigger may be facilitated by, for example, the authentication, block and confirmation modules 206, 208, 210 to perform the various aforementioned processes.

It is contemplated that any number and type of components may be added to and removed from data management mechanism 110 to facilitate its workings and operability in facilitating management of data (e.g., data deletion) posted via collaboration applications. For brevity, clarity, ease of understanding and to focus on the data management mechanism 110, many of the conventional or known components of a computing device are not shown or discussed here.

FIG. 2B illustrates a network of computing devices using collaboration applications as facilitated by data management mechanism according to one embodiment. In one embodiment, computing device 100 employs data management mechanism 110 and remains in communication with various computing devices 220, 230, 240 being used by various users. Continuing with the previous example, users may be employees of an organization communicating with each other using a collaboration application 260A, 260B, 260C at their respective computing devices 220, 230, 240. As illustrated, the computing devices 220, 230, 240 may be in communication with the computing device 100 over a network 250 (e.g., cloud computing, Internet, intranet, Local Area Network (LAN), Wireless LAN (WLAN), Wide Area Network (WAN), Metropolitan Area Network (MAN), Personal Area Network (PAN), etc.).

In one embodiment, data management mechanism 110 may be employed at the computing device 100 serving as a central or host computing device or server, but certain components or all of the data management mechanism 110 may be employed at one or more of the user computing devices 220, 230, 240. The centrally employed data management mechanism 110 may be used to monitor and manage the data being posted or communicated in any manner between the users using the collaboration application 260A, 260B, 260C. For example, a user at computing device 220 posts a message using collaboration application 260A for other users to view, but when the user at computing device 220 (or any of the other users, such as those using the collaboration application 260B, 260C at computing devices 230, 240) attempts to delete the post, they may not be able to do so. As aforementioned, a user (depending on the user profile and the data control privilege level granted to the user by the privilege setting unit 202 of FIG. 2A) may be allowed to delete certain posts or messages but may not be allowed to delete others, as determined and executed by the data management mechanism 110 at computing device 100 over the network 250.

FIG. 3 illustrates a method 300 for facilitating management of data using a collaboration application in an on-demand services environment according to one embodiment. Method 300 may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as instructions run on a processing device), or a combination thereof, such as firmware or functional circuitry within hardware devices. In one embodiment, method 300 is performed by the data management mechanism 110 of FIG. 1.

Method 300 begins at block 305 with setting up user profiles to assign data control privileges to users of an organization using collaboration applications. In one embodiment, these profiles may be set and the data control privileges may be assigned automatically using the privilege setting unit of data management mechanism 110. For example, a new or promoted or demoted user's (e.g., employee of the organization) information, including the user's position (e.g., accountant) with the organization, may be fed into an organization database; such information can then be automatically detected and, upon detection of such information, a user profile for the purposes of data privileges is set and appropriate data privileges are assigned to the user. For example, when a user is promoted from being an accountant to accounting manager, the user's profile is automatically changed and accordingly, appropriate changes are made to the user's data privileges, such as now having greater authority to delete posts or messages placed by the user using a collaboration application (e.g., Chatter, etc.). It is contemplated that a system administrator of the organization may have access to user information and can manipulate such information, such as the user profile or data control privileges, as desired or necessitated.

At block 310, user attempts to manipulate data (e.g., an attempt to delete messages posted or communicated by users using collaboration applications) are detected using the attempt detector of data management mechanism. Upon detection, the authentication module of data management mechanism may authenticate or verify these data manipulation attempts by checking the user credentials (including data control privileges) against the user information at the database at block 315. At block 320, a determination is made as to whether the user is authorized to manipulate the data as attempted. If the user is authorized, at block 325, the user is allowed to proceed with the manipulation, such as deleting a collaboration application-based post by the user. At block 330, if the user is determined to be not authorized, the user's attempt to manipulate the data is blocked using the block module. At block 335, subsequent to the block, an error message or note is displayed for the user to notify the user of the block. It is contemplated that a display device may be used to display the error message as well as the collaboration application, and the like.
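
The following Python block is an added worked example, not code from the patent or from Salesforce's Chatter or Apex, of the delete-guard logic described in the FIG. 2A passage (privilege setting unit 202, attempt detector 204, authentication module 206, block module 208, confirmation module 210, the repeated-attempt report to the administrator, and the override precedence with fallback to the application default) and of blocks 305 to 335 of method 300. The level scale beyond the named level 1 and level 5, the precedence order (per-user rule, then profile rule, then org-wide rule, then the application default), the assumption that a manager-level user may delete other users' non-sensitive posts, and all user names, positions and posts are constructed for the example; the Apex before-delete trigger is modelled as the `attempt_delete` method.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple

class Level(IntEnum):
    """Assumed privilege scale; the text itself names only level 1 and level 5."""
    NONE = 0      # no delete privilege at all (e.g. receptionist)
    OWN = 1       # may delete own non-sensitive posts
    MANAGER = 3   # may also delete other users' non-sensitive posts (assumption)
    TOP = 5       # may delete sensitive posts (general counsel, system administrator)

@dataclass
class User:
    name: str
    position: str             # position recorded in the organization database

@dataclass
class Post:
    post_id: str
    author: str
    sensitive: bool = False   # flagged as legally or financially sensitive
    deleted: bool = False

@dataclass
class DeleteSettings:
    """Rules from the delete-settings page. Precedence: per-user rule, then
    profile (position) rule, then org-wide rule; with no matching rule the
    collaboration application's own default behaviour stays in place."""
    user_rules: Dict[str, Level] = field(default_factory=dict)
    profile_rules: Dict[str, Level] = field(default_factory=dict)
    org_rule: Optional[Level] = None
    default_admin_only: bool = False   # app default: False = users may delete own posts
    report_threshold: int = 3          # blocked attempts beyond this are reported

def effective_level(user: User, s: DeleteSettings) -> Optional[Level]:
    """Privilege setting unit: resolve the level that applies to this user."""
    if user.name in s.user_rules:
        return s.user_rules[user.name]
    if user.position in s.profile_rules:
        return s.profile_rules[user.position]
    return s.org_rule

def is_authorized(user: User, post: Post, s: DeleteSettings) -> bool:
    """Authentication module: check the user's privilege against the post."""
    level = effective_level(user, s)
    if level is None:                  # no rule set: keep the application default
        if s.default_admin_only:
            return user.position == "system administrator"
        return post.author == user.name
    if post.sensitive:
        return level >= Level.TOP
    if post.author == user.name:
        return level >= Level.OWN
    return level >= Level.MANAGER

class DeleteGuard:
    """Attempt detector, block module, confirmation module and admin reporting."""
    def __init__(self, settings: DeleteSettings, posts: Dict[str, Post]):
        self.settings, self.posts = settings, posts
        self.blocked: Dict[Tuple[str, str], int] = {}   # (user, post) -> count
        self.admin_reports: List[str] = []

    def attempt_delete(self, user: User, post_id: str, confirmed: bool = True) -> str:
        """Returns "deleted", "blocked" or "cancelled" for one detected attempt."""
        post = self.posts[post_id]
        if not is_authorized(user, post, self.settings):
            key = (user.name, post_id)
            self.blocked[key] = self.blocked.get(key, 0) + 1
            if self.blocked[key] > self.settings.report_threshold:
                self.admin_reports.append(
                    f"{user.name}: {self.blocked[key]} blocked deletes of {post_id}")
            return "blocked"            # UI shows "you cannot delete this post"
        if not confirmed:               # confirmation choice block: user cancelled
            return "cancelled"
        post.deleted = True
        return "deleted"

def run_demo() -> Dict[str, object]:
    """Constructed scenario: an accountant, a colleague and the general counsel."""
    settings = DeleteSettings(profile_rules={
        "receptionist": Level.NONE, "accountant": Level.OWN,
        "accounting manager": Level.MANAGER, "general counsel": Level.TOP})
    posts = {"sheet": Post("sheet", "alice"), "memo": Post("memo", "bob"),
             "note": Post("note", "alice", sensitive=True)}
    guard = DeleteGuard(settings, posts)
    alice, counsel = User("alice", "accountant"), User("carol", "general counsel")
    r: Dict[str, object] = {"own_sheet": guard.attempt_delete(alice, "sheet")}
    for _ in range(4):                                  # repeated attempts on the note
        r["sensitive_note"] = guard.attempt_delete(alice, "note")
    r["reports"] = len(guard.admin_reports)             # only the 4th exceeds threshold 3
    r["memo_as_accountant"] = guard.attempt_delete(alice, "memo")
    alice.position = "accounting manager"               # block 305: promotion re-derives privileges
    r["memo_as_manager"] = guard.attempt_delete(alice, "memo")
    r["counsel_cancel"] = guard.attempt_delete(counsel, "note", confirmed=False)
    r["counsel_delete"] = guard.attempt_delete(counsel, "note")
    return r
```

Two design points carry over from the text: the authorization decision is taken server-side on every detected attempt rather than by hiding the delete control in the client, so a user who re-submits the request still hits the block module, and the privilege is derived from the position at decision time, so a promotion or demotion recorded in the organization database changes the outcome without any per-user reconfiguration.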

FIGS. 4A-4D illustrate screenshots representing various processes for facilitating management of collaboration application-based data according to one embodiment. FIG. 4A illustrates a screenshot 400 representing a user 402 attempting to delete a post 404 by clicking on an x-like character 406. The post is placed by the user 402 using a collaboration application, such as the illustrated Chatter.

FIG. 4B illustrates a screenshot 420 showing an error message 422 notifying that the user 402 cannot delete the post attempted in screenshot 400 of FIG. 4A because the user does not have the authority or privilege level to delete this or other posts. As illustrated, the error message 422 further provides an optional choice 426 to the user to prevent the page from creating additional dialogs as well as an okay button 424 to remove the message 422 and continue with other tasks.

FIG. 4C illustrates a screenshot 440 that provides the user a choice block 442 to either choose to delete the post that the user 402 initiated by clicking the x-like character 406 or cancel the delete transaction. The user 402 may choose to continue with the delete transaction by clicking the okay button 444 or cancel the delete transaction by clicking on the cancel button 446. In one embodiment, this block 442 is displayed to the user 402 when the user 402 (or the user profile) is determined as having the necessary authorization or privilege level to proceed with the delete transaction to delete the data post.

FIG. 4D illustrates a screenshot 460 representing a data setting page that can be used by a system or IT administrator at an organization to assign, amend, or remove user data control privileges. For example, as illustrated, the system administrator may choose a particular profile from the profile drop-down menu 462 to assign a particular user profile to the user in accordance with the user's position (e.g., attorney, CFO, software developer, receptionist, accountant, salesperson, etc.) with the organization. The system administrator may also choose to type in the user position in the typing area 464, such as by privilege level (e.g., free user, level one user, manager-level user, top level user, etc.) or by one of the aforementioned positions (e.g., manager, accountant, etc.) to assign data control privileges to the user and can confirm that by clicking the save button 468 or cancel the transaction by clicking the cancel button 470. The same illustrated delete setting technique may be used by the system administrator to amend or remove the data control privileges, such as when a user gets promoted or demoted or moves department, or leaves the organization.

FIG. 5 illustrates a diagrammatic representation of a machine 500 in the exemplary form of a computer system, in accordance with one embodiment, within which a set of instructions, for causing the machine 500 to perform any one or more of the methodologies discussed herein, may be executed. Machine 500 is the same as or similar to computing system 100 of FIG. 1 and/or computing devices 220, 230, 240 of FIG. 2B. In alternative embodiments, the machine may be connected (e.g., networked) to other machines in a Local Area Network (LAN), an intranet, an extranet, or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or series of servers within an on-demand service environment, including an on-demand environment providing multi-tenant database storage services. Certain embodiments of the machine may be in the form of a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch or bridge, computing system, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines (e.g., computers) that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.

The exemplary computer system 500 includes a processor 502, a main memory 504 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc., static memory such as flash memory, static random access memory (SRAM), volatile but high-data rate RAM, etc.), and a secondary memory 518 (e.g., a persistent storage device including hard disk drives and persistent multi-tenant database implementations), which communicate with each other via a bus 530. Main memory 504 includes emitted execution data 524 (e.g., data emitted by a logging framework) and one or more trace preferences 523 which operate in conjunction with processing logic 526 and processor 502 to perform the methodologies discussed herein.

Processor 502 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processor 502 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processor 502 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. Processor 502 is configured to execute the processing logic 526 for performing the operations and functionality of data management mechanism 110 as described with reference to FIG. 1 and other figures discussed herein.

The computer system 500 may further include a network interface card 508. The computer system 500 also may include a user interface 510 (such as a video display unit, a liquid crystal display (LCD), or a cathode ray tube (CRT)), an alphanumeric input device 512 (e.g., a keyboard), a cursor control device 514 (e.g., a mouse), and a signal generation device 516 (e.g., an integrated speaker). The computer system 500 may further include peripheral device 536 (e.g., wireless or wired communication devices, memory devices, storage devices, audio processing devices, video processing devices, etc.). The computer system 500 may further include a hardware-based API logging framework 534 capable of executing incoming requests for services and emitting execution data responsive to the fulfillment of such incoming requests.

The secondary memory 518 may include a machine-readable storage medium (or more specifically a machine-accessible storage medium) 531 on which is stored one or more sets of instructions (e.g., software 522) embodying any one or more of the methodologies or functions of data management mechanism 110 as described with reference to FIG. 1 and other figures described herein. The software 522 may also reside, completely or at least partially, within the main memory 504 and/or within the processor 502 during execution thereof by the computer system 500, the main memory 504 and the processor 502 also constituting machine-readable storage media. The software 522 may further be transmitted or received over a network 520 via the network interface card 508. The machine-readable storage medium 531 may include transitory or non-transitory machine-readable storage media.

Portions of various embodiments of the present invention may be provided as a computer program product, which may include a computer-readable medium having stored thereon computer program instructions, which may be used to program a computer (or other electronic devices) to perform a process according to the embodiments of the present invention. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, compact disk read-only memory (CD-ROM), and magneto-optical disks, ROM, RAM, erasable programmable read-only memory (EPROM), electrically EPROM (EEPROM), magnetic or optical cards, flash memory, or other type of media/machine-readable medium suitable for storing electronic instructions.

The techniques shown in the figures can be implemented using code and data stored and executed on one or more electronic devices (e.g., an end station, a network element). Such electronic devices store and communicate (internally and/or with other electronic devices over a network) code and data using computer-readable media, such as non-transitory computer-readable storage media (e.g., magnetic disks; optical disks; random access memory; read only memory; flash memory devices; phase-change memory) and transitory computer-readable transmission media (e.g., electrical, optical, acoustical or other form of propagated signals, such as carrier waves, infrared signals, digital signals). In addition, such electronic devices typically include a set of one or more processors coupled to one or more other components, such as one or more storage devices (non-transitory machine-readable storage media), user input/output devices (e.g., a keyboard, a touchscreen, and/or a display), and network connections. The coupling of the set of processors and other components is typically through one or more busses and bridges (also termed as bus controllers). Thus, the storage device of a given electronic device typically stores code and/or data for execution on the set of one or more processors of that electronic device. Of course, one or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.

FIG. 6 illustrates a block diagram of an environment 610 wherein an on-demand database service might be used. Environment 610 may include user systems 612, network 614, system 616, processor system 617, application platform 618, network interface 620, tenant data storage 622, system data storage 624, program code 626, and process space 628. In other embodiments, environment 610 may not have all of the components listed and/or may have other elements instead of, or in addition to, those listed above.

Environment 610 is an environment in which an on-demand database service exists. User system 612 may be any machine or system that is used by a user to access a database system. For example, any of user systems 612 can be a handheld computing device, a mobile phone, a laptop computer, a work station, and/or a network of computing devices. As illustrated herein in FIG. 6 (and in more detail in FIG. 7), user systems 612 might interact via a network 614 with an on-demand database service, which is system 616.

An on-demand database service, such as system 616, is a database system that is made available to outside users who do not necessarily need to be concerned with building and/or maintaining the database system, but instead may have it available for their use when they need it (e.g., on the demand of the users). Some on-demand database services may store information from one or more tenants in tables of a common database image to form a multi-tenant database system (MTS). Accordingly, “on-demand database service 616” and “system 616” will be used interchangeably herein. A database image may include one or more database objects. A relational database management system (RDBMS) or the equivalent may execute storage and retrieval of information against the database object(s). Application platform 618 may be a framework that allows the applications of system 616 to run, such as the hardware and/or software, e.g., the operating system. In an embodiment, on-demand database service 616 may include an application platform 618 that enables creation, managing and executing one or more applications developed by the provider of the on-demand database service, by users accessing the on-demand database service via user systems 612, or by third party application developers accessing the on-demand database service via user systems 612.

The users of user systems 612 may differ in their respective capacities, and the capacity of a particular user system 612 might be entirely determined by permissions (permission levels) for the current user. For example, where a salesperson is using a particular user system 612 to interact with system 616, that user system has the capacities allotted to that salesperson. However, while an administrator is using that user system to interact with system 616, that user system has the capacities allotted to that administrator. Because the capacity follows the authenticated user rather than the device, the permission check belongs in system 616 and is evaluated on each request, not cached on the user system. In systems with a hierarchical role model, users at one permission level may have access to applications, data, and database information accessible by a lower permission level user, but may not have access to certain applications, database information, and data accessible by a user at a higher permission level. Thus, different users will have different capabilities with regard to accessing and modifying application and database information, depending on a user's security or permission level.

Network 614 is any network or combination of networks of devices that communicate with one another. For example, network 614 can be any one or any combination of a LAN (local area network), WAN (wide area network), telephone network, wireless network, point-to-point network, star network, token ring network, hub network, or other appropriate configuration. As the most common type of computer network in current use is a TCP/IP (Transmission Control Protocol and Internet Protocol) network, such as the global internetwork of networks often referred to as the “Internet” with a capital “I,” that network will be used in many of the examples herein. However, it should be understood that the networks that one or more implementations might use are not so limited, although TCP/IP is a frequently implemented protocol.

User systems 612 might communicate with system 616 using TCP/IP and, at a higher network level, use other common Internet protocols to communicate, such as HTTP, FTP, AFS, WAP, etc. In an example where HTTP is used, user system 612 might include an HTTP client commonly referred to as a “browser” for sending and receiving HTTP messages to and from an HTTP server at system 616. Such an HTTP server might be implemented as the sole network interface between system 616 and network 614, but other techniques might be used as well or instead. In some implementations, the interface between system 616 and network 614 includes load sharing functionality, such as round-robin HTTP request distributors to balance loads and distribute incoming HTTP requests evenly over a plurality of servers. At least for the users that are accessing that server, each of the plurality of servers has access to the MTS's data; however, other alternative configurations may be used instead.

In one embodiment, system 616, shown in FIG. 6, implements a web-based customer relationship management (CRM) system. For example, in one embodiment, system 616 includes application servers configured to implement and execute CRM software applications as well as provide related data, code, forms, webpages and other information to and from user systems 612 and to store to, and retrieve from, a database system related data, objects, and webpage content. With a multi-tenant system, data for multiple tenants may be stored in the same physical database object; however, tenant data typically is arranged so that data of one tenant is kept logically separate from that of other tenants, so that one tenant does not have access to another tenant's data unless such data is expressly shared. In certain embodiments, system 616 implements applications other than, or in addition to, a CRM application. For example, system 616 may provide tenant access to multiple hosted (standard and custom) applications, including a CRM application. User (or third party developer) applications, which may or may not include CRM, may be supported by the application platform 618, which manages creation, storage of the applications into one or more database objects and executing of the applications in a virtual machine in the process space of the system 616.

One arrangement for elements of system 616 is shown in FIG. 6, including a network interface 620, application platform 618, tenant data storage 622 for tenant data 623, system data storage 624 for system data 625 accessible to system 616 and possibly multiple tenants, program code 626 for implementing various functions of system 616, and a process space 628 for executing MTS system processes and tenant-specific processes, such as running applications as part of an application hosting service. Additional processes that may execute on system 616 include database indexing processes.

Several elements in the system shown in FIG. 6 include conventional, well-known elements that are explained only briefly here. For example, each user system 612 could include a desktop personal computer, workstation, laptop, PDA, cell phone, or any wireless access protocol (WAP) enabled device or any other computing device capable of interfacing directly or indirectly to the Internet or other network connection. User system 612 typically runs an HTTP client, e.g., a browsing program, such as Microsoft's Internet Explorer browser, Netscape's Navigator browser, Opera's browser, or a WAP-enabled browser in the case of a cell phone, PDA or other wireless device, or the like, allowing a user (e.g., a subscriber of the multi-tenant database system) of user system 612 to access, process and view information, pages and applications available to it from system 616 over network 614. Each user system 612 also typically includes one or more user interface devices, such as a keyboard, a mouse, trackball, touch pad, touch screen, pen or the like, for interacting with a graphical user interface (GUI) provided by the browser on a display (e.g., a monitor screen, LCD display, etc.) in conjunction with pages, forms, applications and other information provided by system 616 or other systems or servers. For example, the user interface device can be used to access data and applications hosted by system 616, to perform searches on stored data, and otherwise allow a user to interact with various GUI pages that may be presented to a user. As discussed above, embodiments are suitable for use with the Internet, which refers to a specific global internetwork of networks. However, it should be understood that other networks can be used instead of the Internet, such as an intranet, an extranet, a virtual private network (VPN), a non-TCP/IP based network, any LAN or WAN or the like.

According to one embodiment, each user system 612 and all of its components are operator configurable using applications, such as a browser, including computer code run using a central processing unit such as an Intel Pentium® processor or the like. Similarly, system 616 (and additional instances of an MTS, where more than one is present) and all of their components might be operator configurable using application(s) including computer code to run using a central processing unit such as processor system 617, which may include an Intel Pentium® processor or the like, and/or multiple processor units. A computer program product embodiment includes a machine-readable storage medium (media) having instructions stored thereon/in which can be used to program a computer to perform any of the processes of the embodiments described herein. Computer code for operating and configuring system 616 to intercommunicate and to process webpages, applications and other data and media content as described herein is preferably downloaded and stored on a hard disk, but the entire program code, or portions thereof, may also be stored in any other volatile or non-volatile memory medium or device as is well known, such as a ROM or RAM, or provided on any media capable of storing program code, such as any type of rotating media including floppy disks, optical discs, digital versatile disk (DVD), compact disk (CD), microdrive, and magneto-optical disks, and magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data. Additionally, the entire program code, or portions thereof, may be transmitted and downloaded from a software source over a transmission medium, e.g., over the Internet, or from another server, as is well known, or transmitted over any other conventional network connection as is well known (e.g., extranet, VPN, LAN, etc.) using any communication medium and protocols (e.g., TCP/IP, HTTP, HTTPS, Ethernet, etc.) as are well known. It will also be appreciated that computer code for implementing embodiments can be implemented in any programming language that can be executed on a client system and/or server or server system such as, for example, C, C++, HTML, any other markup language, Java™, JavaScript, ActiveX, any other scripting language, such as VBScript, and many other programming languages as are well known. (Java™ is a trademark of Sun Microsystems, Inc.)

According to one embodiment, each system 616 is configured to provide webpages, forms, applications, data and media content to user (client) systems 612 to support the access by user systems 612 as tenants of system 616. As such, system 616 provides security mechanisms to keep each tenant's data separate unless the data is shared. If more than one MTS is used, they may be located in close proximity to one another (e.g., in a server farm located in a single building or campus), or they may be distributed at locations remote from one another (e.g., one or more servers located in city A and one or more servers located in city B). As used herein, each MTS could include one or more logically and/or physically connected servers distributed locally or across one or more geographic locations. Additionally, the term “server” is meant to include a computer system, including processing hardware and process space(s), and an associated storage system and database application (e.g., OODBMS or RDBMS) as is well known in the art. It should also be understood that “server system” and “server” are often used interchangeably herein. Similarly, the database object described herein can be implemented as a single database, a distributed database, a collection of distributed databases, a database with redundant online or offline backups or other redundancies, etc., and might include a distributed database or storage network and associated processing intelligence.

FIG. 7 also illustrates environment 610. However, in FIG. 7 elements of system 616 and various interconnections in an embodiment are further illustrated. FIG. 7 shows that user system 612 may include processor system 612A, memory system 612B, input system 612C, and output system 612D. FIG. 7 shows network 614 and system 616. FIG. 7 also shows that system 616 may include tenant data storage 622, tenant data 623, system data storage 624, system data 625, User Interface (UI) 730, Application Program Interface (API) 732, PL/SOQL 734, save routines 736, application setup mechanism 738, application servers 700_1 through 700_N, system process space 702, tenant process spaces 704, tenant management process space 710, tenant storage area 712, user storage 714, and application metadata 716. In other embodiments, environment 610 may not have the same elements as those listed above and/or may have other elements instead of, or in addition to, those listed above.

User system 612, network 614, system 616, tenant data storage 622, and system data storage 624 were discussed above with respect to FIG. 6. Regarding user system 612, processor system 612A may be any combination of one or more processors. Memory system 612B may be any combination of one or more memory devices, short term, and/or long term memory. Input system 612C may be any combination of input devices, such as one or more keyboards, mice, trackballs, scanners, cameras, and/or interfaces to networks. Output system 612D may be any combination of output devices, such as one or more monitors, printers, and/or interfaces to networks. As shown by FIG. 7, system 616 may include a network interface 620 (of FIG. 6) implemented as a set of HTTP application servers 700, an application platform 618, tenant data storage 622, and system data storage 624. Also shown is system process space 702, including individual tenant process spaces 704 and a tenant management process space 710. Each application server 700 may be configured to communicate with tenant data storage 622 and the tenant data 623 therein, and with system data storage 624 and the system data 625 therein, to serve requests of user systems 612. The tenant data 623 might be divided into individual tenant storage areas 712, which can be either a physical arrangement and/or a logical arrangement of data. Within each tenant storage area 712, user storage 714 and application metadata 716 might be similarly allocated for each user. For example, a copy of a user's most recently used (MRU) items might be stored to user storage 714. Similarly, a copy of MRU items for an entire organization that is a tenant might be stored to tenant storage area 712. A UI 730 provides a user interface and an API 732 provides an application programmer interface to system 616 resident processes to users and/or developers at user systems 612. The tenant data and the system data may be stored in various databases, such as one or more Oracle™ databases.

Application platform 618 includes an application setup mechanism 738 that supports application developers' creation and management of applications, which may be saved as metadata into tenant data storage 622 by save routines 736 for execution by subscribers as one or more tenant process spaces 704 managed by tenant management process space 710, for example. Invocations to such applications may be coded using PL/SOQL 734, which provides a programming language style interface extension to API 732. A detailed description of some PL/SOQL language embodiments is discussed in commonly owned U.S. Pat. No. 7,730,478, entitled “Method and System for Allowing Access to Developed Applications via a Multi-Tenant On-Demand Database Service”, issued Jun. 1, 2010 to Craig Weissman, which is incorporated in its entirety herein for all purposes. Invocations to applications may be detected by one or more system processes, which manage retrieving application metadata 716 for the subscriber making the invocation and executing the metadata as an application in a virtual machine.

Each application server 700 may be communicably coupled to database systems, e.g., having access to system data 625 and tenant data 623, via a different network connection. For example, one application server 700_1 might be coupled via the network 614 (e.g., the Internet), another application server 700_(N-1) might be coupled via a direct network link, and another application server 700_N might be coupled by yet a different network connection. Transmission Control Protocol and Internet Protocol (TCP/IP) are typical protocols for communicating between application servers 700 and the database system. However, it will be apparent to one skilled in the art that other transport protocols may be used to optimize the system depending on the network interconnect used.

In certain embodiments, each application server 700 is configured to handle requests for any user associated with any organization that is a tenant. Because it is desirable to be able to add and remove application servers from the server pool at any time for any reason, there is preferably no server affinity for a user and/or organization to a specific application server 700. In one embodiment, therefore, an interface system implementing a load balancing function (e.g., an F5 Big-IP load balancer) is communicably coupled between the application servers 700 and the user systems 612 to distribute requests to the application servers 700. In one embodiment, the load balancer uses a least connections algorithm to route user requests to the application servers 700. Other examples of load balancing algorithms, such as round robin and observed response time, also can be used. For example, in certain embodiments, three consecutive requests from the same user could hit three different application servers 700, and three requests from different users could hit the same application server 700. A consequence of this arrangement is that session state and the user's permission data must be available to every application server 700 (e.g., from tenant data storage 622 or system data storage 624) rather than held only in one server's process space, since any server may have to make the authorization decision for any request. In this manner, system 616 is multi-tenant, wherein system 616 handles storage of, and access to, different objects, data and applications across disparate users and organizations.

As an example of storage, one tenant might be a company that employs a sales force where each salesperson uses system 616 to manage their sales process. Thus, a user might maintain contact data, leads data, customer follow-up data, performance data, goals and progress data, etc., all applicable to that user's personal sales process (e.g., in tenant data storage 622). In an example of an MTS arrangement, since all of the data and the applications to access, view, modify, report, transmit, calculate, etc., can be maintained and accessed by a user system having nothing more than network access, the user can manage his or her sales efforts and cycles from any of many different user systems. For example, if a salesperson is visiting a customer and the customer has Internet access in their lobby, the salesperson can obtain critical updates as to that customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' data regardless of the employers of each user, some data might be organization-wide data shared or accessible by a plurality of users or all of the users for a given organization that is a tenant. Thus, there might be some data structures managed by system 616 that are allocated at the tenant level while other data structures might be managed at the user level. Because an MTS might support multiple tenants including possible competitors, the MTS should have security protocols that keep data, applications, and application use separate. Also, because many tenants may opt for access to an MTS rather than maintain their own system, redundancy, up-time, and backup are additional functions that may be implemented in the MTS. In addition to user-specific data and tenant specific data, system 616 might also maintain system level data usable by multiple tenants or other data. Such system level data might include industry reports, news, postings, and the like that are sharable among tenants.

In certain embodiments, user systems 612 (which may be client systems) communicate with application servers 700 to request and update system-level and tenant-level data from system 616, which may require sending one or more queries to tenant data storage 622 and/or system data storage 624. System 616 (e.g., an application server 700 in system 616) automatically generates one or more SQL statements (e.g., one or more SQL queries) that are designed to access the desired information. Because the physical tables may hold rows of many tenants, each generated statement must restrict its results to the requesting user's tenant (and, where the data is user-level, to that user); a statement that omits that restriction exposes other tenants' data. System data storage 624 may generate query plans to access the requested data from the database.

Each database can generally be viewed as a collection of objects, such as a set of logical tables, containing data fitted into predefined categories. A “table” is one representation of a data object, and may be used herein to simplify the conceptual description of objects and custom objects. It should be understood that “table” and “object” may be used interchangeably herein. Each table generally contains one or more data categories logically arranged as columns or fields in a viewable schema. Each row or record of a table contains an instance of data for each category defined by the fields. For example, a CRM database may include a table that describes a customer with fields for basic contact information such as name, address, phone number, fax number, etc. Another table might describe a purchase order, including fields for information such as customer, product, sale price, date, etc. In some multi-tenant database systems, standard entity tables might be provided for use by all tenants. For CRM database applications, such standard entities might include tables for Account, Contact, Lead, and Opportunity data, each containing pre-defined fields. It should be understood that the word “entity” may also be used interchangeably herein with “object” and “table”.

In some multi-tenant database systems, tenants may be allowed to create and store custom objects, or they may be allowed to customize standard entities or objects, for example by creating custom fields for standard objects, including custom index fields. U.S. patent application Ser. No. 10/817,161, filed Apr. 2, 2004, entitled “Custom Entities and Fields in a Multi-Tenant Database System”, which is hereby incorporated herein by reference, teaches systems and methods for creating custom objects as well as customizing standard objects in a multi-tenant database system. In certain embodiments, for example, all custom entity data rows are stored in a single multi-tenant physical table, which may contain multiple logical tables per organization. It is transparent to customers that their multiple “tables” are in fact stored in one large table or that their data may be stored in the same table as the data of other customers.
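The following Python is an added illustration of the isolation property described in the preceding paragraphs (the SQL generation of the application servers and the single physical table shared by many tenants); it is example code written for this page, not code from the patent or from the system it describes. It builds one table holding rows of two tenants and several logical tables, contrasts a statement that forgets the tenant predicate with generated statements that always carry it, and shows why a lookup by a globally unique key still needs that predicate. The table and column names (tenant_rows, org_id, entity, data), the tenant identifiers and the sample rows are constructed for the example.

```python
"""Tenant-scoped queries over one shared physical table.

Added example, not code from the patent or the described system.  It models
the arrangement above: rows of many tenants (and several logical tables per
tenant) live in one physical table, so isolation is a property every
generated statement must enforce.  Uses the standard-library sqlite3 module
with constructed sample rows; the table and column names (tenant_rows,
org_id, entity, data) and the tenant ids are assumptions for illustration.
"""
import sqlite3
from typing import Optional

# Constructed sample rows: two tenants share one table.  "Invoice" is a
# custom logical table that only org_a has defined.
SAMPLE_ROWS = [
    ("org_a", "Account", "Acme Corp"),
    ("org_a", "Contact", "Alice"),
    ("org_a", "Invoice", "INV-001"),
    ("org_b", "Account", "Globex"),
    ("org_b", "Contact", "Bob"),
]

# Columns a caller may filter on.  Identifiers cannot be bound as parameters,
# so they are checked against an allow-list instead of being interpolated.
ALLOWED_FILTER_COLUMNS = frozenset({"id", "data"})


def build_store() -> sqlite3.Connection:
    """Create an in-memory database holding one multi-tenant physical table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tenant_rows ("
        " id INTEGER PRIMARY KEY,"
        " org_id TEXT NOT NULL,"
        " entity TEXT NOT NULL,"
        " data TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO tenant_rows (org_id, entity, data) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def unscoped_fetch(conn: sqlite3.Connection, entity: str) -> list:
    """The defect to avoid: a statement that selects a logical table without
    the tenant predicate returns every tenant's rows for that table."""
    cur = conn.execute(
        "SELECT org_id, entity, data FROM tenant_rows WHERE entity = ?",
        (entity,),
    )
    return cur.fetchall()


def build_tenant_query(org_id: str, entity: str, filters: dict) -> tuple:
    """Generate a SELECT for one tenant's logical table.

    The org_id predicate is added unconditionally, before any caller-supplied
    filter, and every value is bound as a parameter rather than concatenated.
    """
    clauses = ["org_id = ?", "entity = ?"]
    params = [org_id, entity]
    for column, value in filters.items():
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"unknown filter column {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = ("SELECT org_id, entity, data FROM tenant_rows WHERE "
           + " AND ".join(clauses))
    return sql, tuple(params)


def scoped_fetch(conn: sqlite3.Connection, org_id: str, entity: str,
                 filters: Optional[dict] = None) -> list:
    """Run a generated, tenant-scoped statement and return the matching rows."""
    sql, params = build_tenant_query(org_id, entity, filters or {})
    return conn.execute(sql, params).fetchall()


def scoped_fetch_by_id(conn: sqlite3.Connection, org_id: str, row_id: int):
    """Lookup by primary key.  A globally unique id is not an authorization
    check: the org_id predicate stays in the WHERE clause, so a key belonging
    to another tenant yields None instead of that tenant's row."""
    cur = conn.execute(
        "SELECT org_id, entity, data FROM tenant_rows WHERE id = ? AND org_id = ?",
        (row_id, org_id),
    )
    return cur.fetchone()


if __name__ == "__main__":
    db = build_store()
    print("unscoped:", unscoped_fetch(db, "Account"))        # both tenants leak
    print("org_b:   ", scoped_fetch(db, "org_b", "Account"))
    print("org_b id 3:", scoped_fetch_by_id(db, "org_b", 3))  # None: row 3 is org_a's
```

The point of `build_tenant_query` is that the tenant restriction is not something a caller passes in; the generator owns it, and caller-controlled identifiers are accepted only from an allow-list because a column name cannot be protected by parameter binding.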

While one or more implementations have been described by way of example and in terms of the specific embodiments, it is to be understood that one or more implementations are not limited to the disclosed embodiments. To the contrary, it is intended to cover various modifications and similar arrangements as would be apparent to those skilled in the art. Therefore, the scope of the appended claims should be accorded the broadest interpretation so as to encompass all such modifications and similar arrangements. It is to be understood that the above description is intended to be illustrative, and not restrictive.

What is claimed is:
1. A computer-implemented method comprising: detecting an attempt by a user to manipulate data via a collaboration application at a computing system, wherein the attempt includes attempted deletion of the data posted for viewing using the collaboration application; determining whether the user is authorized to manipulate the data; and blocking the attempt if the user is not authorized to manipulate the data.
2. The computer-implemented method of claim 1, wherein determining includes matching the attempt with user privileges listed in an existing user profile to determine whether the user is authorized to manipulate the data.
3. The computer-implemented method of claim 2, further comprising generating the user profile associated with a user position of the user within an organization, and updating the user profile each time a change in the user position is detected.
4. The computer-implemented method of claim 1, further comprising granting the attempt if the user is authorized to manipulate the data.
5. The computer-implemented method of claim 1, further comprising displaying an error message notifying the block.
6. The computer-implemented method of claim 1, wherein the computing system comprises one or more of a mobile computing device, a personal digital assistant (PDA), a handheld computer, an e-reader, a tablet computer, a notebook, a netbook, a desktop computer, a server computer, a cluster-based computer, and a set-top box.
7. A system comprising: a computing device having a memory to store instructions, and a processing device to execute the instructions, wherein the instructions cause the processing device to: detect an attempt by a user to manipulate data via a collaboration application at a computing system, wherein the attempt includes attempted deletion of the data posted for viewing using the collaboration application; determine whether the user is authorized to manipulate the data; and block the attempt if the user is not authorized to manipulate the data.
8. The system of claim 7, wherein determining includes matching the attempt with user privileges listed in an existing user profile to determine whether the user is authorized to manipulate the data.
9. The system of claim 8, further comprising generating the user profile associated with a user position of the user within an organization, and updating the user profile each time a change in the user position is detected.
10. The system of claim 7, further comprising granting the attempt if the user is authorized to manipulate the data.
11. The system of claim 7, further comprising displaying an error message notifying the block.
12. The system of claim 7, wherein the computing system comprises one or more of a mobile computing device, a personal digital assistant (PDA), a handheld computer, an e-reader, a tablet computer, a notebook, a netbook, a desktop computer, a server computer, a cluster-based computer, and a set-top box.
13. A machine-readable medium having stored thereon instructions which, when executed by a machine, cause the machine to: detect an attempt by a user to manipulate data via a collaboration application at a computing system, wherein the attempt includes attempted deletion of the data posted for viewing using the collaboration application; determine whether the user is authorized to manipulate the data; and block the attempt if the user is not authorized to manipulate the data.
14. The machine-readable medium of claim 13, wherein determining includes matching the attempt with user privileges listed in an existing user profile to determine whether the user is authorized to manipulate the data.
15. The machine-readable medium of claim 14, wherein the machine is further to generate the user profile associated with a user position of the user within an organization, and update the user profile each time a change in the user position is detected.
16. The machine-readable medium of claim 13, wherein the machine is further to grant the attempt if the user is authorized to manipulate the data.
17. The machine-readable medium of claim 13, wherein the machine is further to display an error message notifying the block.
18. The machine-readable medium of claim 13, wherein the computing system comprises one or more of a mobile computing device, a personal digital assistant (PDA), a handheld computer, an e-reader, a tablet computer, a notebook, a netbook, a desktop computer, a server computer, a cluster-based computer, and a set-top box.
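The following Python is a worked example of the sequence the claims describe, added to this page for illustration; it is not code from the patent, and none of its names appear in the patent. It covers the detect, determine and block steps of claims 1, 7 and 13, the privilege-list match of claims 2, 8 and 14, the position-driven profile and its update on a position change of claims 3, 9 and 15, the grant of claims 4, 10 and 16 and the error message of claims 5, 11 and 17, over the hierarchical permission model described for FIG. 6 (each level holds the privileges of the levels below it). The role ladder, the privilege names and the sample posts are assumptions constructed for the example.

```python
"""Blocking unauthorized deletion of collaboration posts.

Added example, not code from the patent.  Implements the claimed sequence:
detect a deletion attempt on a posted message, match it against the
privileges in the user's profile, block with an error or grant, and rebuild
the profile whenever the user's position changes.  The check runs on the
server side, because the client (the user system) is under the user's
control.  ROLE_HIERARCHY, the privilege names, UserProfile,
CollaborationStore and the sample posts are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Assumed role ladder, lowest level first.  Under the hierarchical model a
# position holds its own privileges plus those of every position below it.
ROLE_HIERARCHY = [
    ("employee", {"read_post", "create_post"}),
    ("manager", {"edit_any_post"}),
    ("records_officer", {"delete_post"}),
]


def privileges_for(position: str) -> frozenset:
    """Compute a position's privilege set by walking the ladder up to it."""
    granted = set()
    for name, extra in ROLE_HIERARCHY:
        granted |= extra
        if name == position:
            return frozenset(granted)
    raise ValueError(f"unknown position {position!r}")


@dataclass
class UserProfile:
    username: str
    position: str
    privileges: frozenset = field(init=False)

    def __post_init__(self):
        self.privileges = privileges_for(self.position)

    def change_position(self, new_position: str) -> None:
        """Recompute privileges on every position change, so a user moved to
        a lower position loses rights immediately rather than keeping a
        stale profile."""
        self.position = new_position
        self.privileges = privileges_for(new_position)


@dataclass
class Post:
    post_id: int
    author: str
    body: str


class DeletionBlocked(PermissionError):
    """Raised when a deletion attempt fails the authorization check."""


class CollaborationStore:
    """Server-side store of posted messages; the check lives here."""

    def __init__(self, posts):
        self._posts = {p.post_id: p for p in posts}
        self.audit_log = []

    def has_post(self, post_id: int) -> bool:
        return post_id in self._posts

    def attempt_delete(self, user: UserProfile, post_id: int) -> str:
        """Detect the attempt, match it against the profile, block or grant.

        Authorization is checked before existence so an unauthorized caller
        learns nothing about which ids exist.  Authorship is deliberately
        not consulted: an author may not delete their own post unless their
        position carries delete_post.
        """
        if "delete_post" not in user.privileges:
            self.audit_log.append(("blocked", user.username, post_id))
            raise DeletionBlocked(
                f"{user.username} is not authorized to delete post {post_id}")
        if post_id not in self._posts:
            return "not_found"
        del self._posts[post_id]
        self.audit_log.append(("deleted", user.username, post_id))
        return "deleted"


def handle_delete_request(store: CollaborationStore, user: UserProfile,
                          post_id: int) -> str:
    """UI-facing wrapper: a block becomes the error message shown to the
    user; otherwise the outcome is reported."""
    try:
        return store.attempt_delete(user, post_id)
    except DeletionBlocked as exc:
        return f"error: {exc}"


# Constructed sample posts for a stand-alone run.
SAMPLE_POSTS = [Post(1, "alice", "Q3 forecast attached"),
                Post(2, "bob", "Customer escalation notes")]

if __name__ == "__main__":
    store = CollaborationStore(SAMPLE_POSTS)
    alice = UserProfile("alice", "employee")
    print(handle_delete_request(store, alice, 1))   # blocked, even for her own post
    alice.change_position("records_officer")
    print(handle_delete_request(store, alice, 1))   # deleted
```

Two design choices matter here. The privilege set is derived from the position rather than stored as an editable list, so a position change cannot leave stale rights behind, and the deletion right is not inherited by rank alone: a manager outranks an employee but still cannot delete a post unless the ladder places delete_post at or below the manager's level.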